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The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1)D Responsive to communication(s) filed on . 

2a)D This action is FINAL. 2b)(^ This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1 935 CD. 1 1 , 453 O.G. 21 3. 
Disposition of Claims 

4) S Claim(s) 7-79 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) S Claim(s) 1-19 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) Q The specification is objected to by the Examiner. 

10) D The drawing(s) filed on is/are: a)Q accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 

11) D The proposed drawing correction filed on is: a)D approved b)D disapproved by the Examiner. 

If approved, corrected drawings are required in reply to this Office action. 

12) D The oath or declaration is objected to by the Examiner. 
Priority under 35 U.S.C. §§ 119 and 120 

1 3) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 1 9(a)-(d) or (0. 

a)DA!l Some*c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

2. Q Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 

14) D Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application). 

a) □ The translation of the foreign language provisional application has been received. 

15) D Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121. 

Attachment! s) 

1 ) D Notice of References Cited (PTO-892) 4) □ Interview Summary (PTO-41 3) Paper No(s). . 

2) O Notice of Draftsperson's Patent Drawing Review (PTO-948) 5) Q Notice of Informal Patent Application (PTO-152) 

3) O Information Disclosure Statement(s) (PTO-1449) Paper No(s) . 6) O Other: 
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DETAILED ACTION 

Continued Examination Under 37 CFR I A 14 

1 . A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1 .17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on April 24, 2003 has been entered. 

Response to Amendment 
Applicant has amended claims 1-17, and therefore claims 1-19 are now pending. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1 and 9 have been considered but are moot 
in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 
1. The following is a quotation of 35 U.S.C 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 




' Application/Control Number: 09/446,583 Page 3 

Art Unit: 2143 

2. Claims 1-4, 8-1 1, 13, 15-19 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
US. Patent No. 5,708,780 to Levergood et al. in view of Kirsch. 

Regarding claim 1, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to documents stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); receiving at the resource server 
authentication data for a user from a client terminal of the user, and validating at the resource 
server said authentication data by reference to said stored authentication details (column 3, lines 
25-26 and column 6, lines 58-60); and enabling said resource server to validate a request for said 
document from the client terminal of said user, which request includes said identifier, by 
checking that said stored access status includes said document (column 6, lines 58-65 and 
column 7, lines 51-53 and 63-67 and Fig.2B). 

Levergood et al. does not teach storing in the resource server authentication details and 
access status data of authorized users. Kirsch teaches storing in the resource server authentication 
details and access status data of authorized users; storing at the resource server (1) an identifier 
for the client terminal, the identifier indicating said terminal to be currently authenticated 
terminal; and (2) the access status of the user of the currently authenticated terminal (column 2, 
lines 34-37 and 42-46 and column 4, lines 51-54 and 58-64). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to further 
modify the internet server access control and monitoring system of Levergood et al. by storing in 
the resource server authentication details and access status data of authorized users because this 
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provides added security in a efficient manner where the server can verify authentication by 
comparing client submitted identification with the stored access status data of the server. 

Regarding claim 2, Levergood et al. teaches a method according to claim 1, wherein said 
identifier is transmitted to said client terminal (column 3, lines 30-32). 

Levergood et al. does not teach the transmission of the identifier in a cookie. Kirsch 
teaches that said identifier is transmitted in a cookie to said user's client terminal (column 3, 
lines 14-16 and column 13, lines 1 1-13). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to further modify the internet server 
access control and monitoring system of Levergood et al. by transmitting the identifier in a 
cookie because it is a more secure manner of storage and transport of identification data. 

Regarding claim 9, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to a document stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); performing at the at least one of the resource 
servers remote authentication of a user by reference to said stored authentication details (column 
3, lines 25-26 and column 6, lines 58-65 and column 7, lines 51-53 and 63-67 and Fig.2B) and 
during said remote authentication step generating the access status data of the user, 
distinguishing said user from other users which are not currently authenticated (column 6, lines 
61-63), and a secret encryption key shared with said user (column 5, lines 61-65); resource 
servers to check an authentication status of said user by using an identifier for the user's client 
terminal received in a service request (column 3, lines 13-16 and column 6, lines 58-65 and 
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column 7, lines 51-53 and 63-67 and Fig.2B); and storing said shared secret key in a data store 
accessible by at least one of said resource servers for use during communications with said user 
(column 5, lines 61-65). 

Levergood et al. does not teach storing in at least one of the resource servers 
authentication details and access status data of authorized users. Kirsch teaches storing in at least 
one of the resource servers authentication details and access status data of authorized users; 
storing said access status data in the at least one of the resource servers to check authentication 
status of said user by using an identifier for the client terminal received in a service request to 
check the stored access status data (column 2, lines 34-37 and 42-46 and column 4, lines 51-54 
and 58-64). Therefore, it would have been obvious to one having ordinary skill in the art at the 
time the invention was made to further modify the Internet server access control and monitoring 
system of Levergood et al. by storing in at least one of the resource servers authentication details 
and access status data of authorized users because this provides added security in a efficient 
manner where the server can verify authentication by comparing client submitted identification 
with the stored access status data of the server. 

Referring to claim 3, Levergood et al. teaches a method according to claim 1, wherein 
said authentication step comprises receiving said identifier from said client terminal with said 
authentication data (column 3, lines 44-47). 

Regarding claim 4, Levergood et al teaches a method according to claim 3, wherein a 
new identifier is issued to said client terminal if said authentication data is invalid (column 5, 
lines 46-49). 
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Referring to claim 8, Levergood et al. teaches a method according to claim 1, comprising 
authenticating said user for access to a plurality of Web servers located in the same Internet 
domain (column 3, lines 66-67); and enabling each of said Web servers to validate document 
requests from the client terminal, which requests include said identifier (column 3, lines 44-45), 
by checking said status data on receipt of a document request (column 6, lines 58-60). 

Referring to claim 10, Levergood et al. teaches a method according to claim 9, wherein 
said remote authenticating step comprises issuing a challenge to the client terminal, receiving a 
response to said challenge, and verifying said response (column 6, lines 45-49 and 58-60). 

Referring to claim 1 1 , Levergood et al. teaches a method according to claim 9, further 
comprising updating said access status data for an authenticated user following said storing step 
(column 7, lines 31-34 and 63-64). 

Regarding claim 13, Levergood et al. teaches a method according to claim 1 1, wherein 
said updating step is performed in response to access by one of said resource servers to said 
access status data (column 8, lines 52-55). 

Regarding claim 15, Levergood et al. teaches a method according to claim 9, wherein 
said identifier is an IP address of the client terminal (column 1, lines 39-41). 

Referring to claim 16, Levergood et al. teaches a method according to claim 9, wherein 
said authentication step comprises issuing said identifier to the client terminal (column 3, lines 
30-32). 

Regarding claim 17, Levergood et al. teaches a method according to claim 9, wherein 
said access status data is stored in a data store of at least one of said resource servers (column 6, 
lines 61-63 and column 7, lines 31-34). 
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Referring to claim 18, Levergood et al. teaches a method according to claim 9, wherein 
said authentication details include data identifying the rights of access of individual users to one 
or more of said resource servers (column 3, lines 50-52). 

Regarding claim 19, Levergood et al. teaches an authenticating server system adapted to 
perform the method of claim 1 (column 5, lines 48-49 and column 6, lines 58-60). 
3. Claim 5-7, 12, and 14 rejected under 35 U.S. C. 103(a) as being unpatentable over US 
Patent No. 5,708,780 to Levergood et al. in view of Kirsch as applied to claim 1-4, 8-11, 13, 15- 
19 above, and further in view of See et al. 

Regarding claim 5, Levergood et al. teaches of an identifier (column 1, lines 39-41), and 
the reception of an invalid authenticator from said client terminal (column 7, lines 13-14). 

Levergood et al. does not teach that the identifier contains the number of times an invalid 
authenticator was received. See et al. teaches said identifier comprises data indicating the 
number of times an invalid authenticator has been received from said user's client terminal 
(column 3, lines 23-25). Therefore, it would have been obvious to one having ordinary skill in 
the art at the time the invention was made to further modify the internet server access control and 
monitoring system of Levergood et al. by having the identifier contain the number of times an 
invalid authenticator was received because a user can be denied access if they submit multiple 
invalid authenticators thus providing the system with added security and access control. 

Referring to claim 6, Levergood et al. teaches of an identifier (column 1, lines 39-41), 
and the reception of an invalid authenticator from said client terminal (column 7, lines 13-14). 

Levergood et al. does not teach that the system will not issue identifiers to the user if an 
identifier received from that user shows that a predetermined number of invalid authenticators 
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have been received from the user. See et al. teaches said method comprising issuing no further 
identifier to said client terminal if an identifier received from said user's client terminal indicates 
that a predetermined number of invalid authenticators have been received from said user's client 
terminal (column 6, lines 23-26). Therefore, it would have been obvious to one having ordinary 
skill in the art at the time the invention was made to further modify the internet server access 
control and monitoring system of Levergood et al. by not issuing identifiers to the user if an 
identifier received from that user shows that a predetermined number of invalid authenticators 
have been received from the user because this provides the system with added security and 
access control by not allowing unauthorized users access to server information. 

Regarding claim 7, Levergood et al. teaches of an identifier (column 1, lines 39-41). 

Levergood et al. does not teach of timing out of an identifier. See et al. teaches of timing 
out of said identifier of a terminal of a currently authenticated user if no document request is 
received from said client terminal for a predetermined period (column 7, lines 32-36). Therefore, 
it would have been obvious to one having ordinary skill in the art at the time the invention was 
made to further modify the internet server access control and monitoring system of Levergood et 
al. by timing out an identifier because if a user were to forget to logout of a session another could 
use that workstation to access information that they are not authorized to view and the timing out 
of the identifier lessens the chance of this happening therefore increasing the security of the 
system. 

Referring to claim 12, Levergood et al. teaches of an updating step (column 7, lines 31-34 
and 63-64). 
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Levergood et al. does not teach of the updating step being performed because of a time- 
out. See et al. teaches said updating step is performed in response to a time-out associated with 
said access status data (column 7, lines 32-36 and lines 37-39). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to further 
modify the internet server access control and monitoring system of Levergood et al. by 
performing the updating step because of a time-out because this will give the system up-to-date 
information on the state of the workstation. 

Referring to claim 14, Levergood et al. teaches a method according to claim 12, wherein 
said updating step is performed in response to a request by the client terminal (column 4, lines 1- 
4). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to April L Baugh whose telephone number is 703-305-53 17. The 
examiner can normally be reached on Monday-Friday 7:00am-3 :30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, David A Wiley can be reached on 703-308-5221. The fax phone numbers for the 
organization where this application or proceeding is assigned are 703-746-9149 for regular 
communications and 703-746-9149 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 
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